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in the Claims : 

The claims are as follows; 

1 . (Previously presented) A method of operating an intrusion detection system for detecting an 
intrusion of a protected network attachment according to at least one business rule, said method 

comprising the steps of: 

awaiting an occurrence of a next update time of the intrusion detection system, said next 
update time being a time at which at least one validity condition of the at least one business rule 
is checked; 

responsive to the occurrence of the next update time, checking the at least one validity 
condition of the at least one business rule to determine whether a provision of any business mlc 
of the at least one business rule is a newly operative provision that lias first become operative or 
gone into effect since an occurrence of a last previous update time at which the at least one 
validity condition of the at least one business rule was checked, said newly operative provision 
prescribing an alteration of an intrusion set that the provision applies to; 

if the checked provision is the newly operative provision that applies to the intrusion set, 
then altering the intrusion set according to the newly operative provision. 

2. (Original) The method of claim 1 , wherein the validity condition is a temporal validity 
condition. 
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3. (Original) The method of claim 1, wherein the validity condition is a network validity 
condition, 

i 

4. (Previously presented) Thetncthod of claim 1, wherein the validity condition includes a 
multiple temporal specification, a multiple network-descriptive specification, or a multiple 
temporal sped fication and a multiple network-descriptive specification. 

5-8, (Canceled) 

9. (Original) A method of operating an intrusion detection system according to a set of business 
rules, comprising the steps of: 

awaiting an update time of the intrusion detection system; 

responsive to occurrence of an update time, checking validity conditions of the set of 
business rules to determine whether a provision of any of the set of business rules is a newly 
operative provision; 

for each newly operative provision, checking an intrusion set to determine whether the 
newly operative provision applies to the intrusion set; and 

i f the new provision applies to the intrusion set, altering the intrusion set according to the 

newly operative provision. 
10-12, (Canceled) 
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13. (Original) The method of claim 9, wherein the step of altering the intrusion set includes the 
step of altering a signature of the intrusion set. 

14. (Original) The method of claim 9, wherein the step of altering the intrusion set includes the 
step of altering a threshold of the intrusion set. 

15. (Original) The method of claim 9, wherein the step of altering the intrusion set includes the 
step of altering an action of the intrusion set. 

16. (Original) The method of claim 9, wherein the step of altering the intrusion set includes the 

4 

step of altering a weight of Ihc intrusion set. 

17. (Original) The method of claim 9, wherein the update time is a scheduled time. 

18. (Original) The method of claim 9, wherein the update time is one of a plurality of update 
times that occur substantially periodically. 

19. (Original) The method of claim 9, wherein the update lime is a computed update time. 

20. (Previously presented) The method of claim 1, wherein the at least one business rule 
consists of exactly one business rule. 
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21 . (Previously presented) The method of claim 1 , wherein the at least one business rule 
consists of a plurality of business rules. 

22. (Previously presented) The method of claim 1, wherein the protected network attachment 
comprises a computer, a server, a workstation, or a combination thereof. 

23. (Previously presented) The method of claim 1, wherein the next update time is a scheduled 
time. 

24. (Previously presented) The method of claim 1, wherein the next update time is one update 
time of a plurality of update times that occur substantially periodically. 

25. (Previously presented) The method of claim 1, wherein the next update time is a computed 
update time. 

26. (Previously presented) The method of claim 1, wherein the step of altering the intrusion set 
includes the step of altering a signature of the intrusion set. 

27. (Previously presented) The method of claim 1, wherein the step of altering the intrusion set 
includes the step of altering a threshold of the intrusion set. 

28. (Previously presented) The method of claim 1 , wherein the step of altering the intrusion set 
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includes the step of altering an action of the intrusion set 

29. (Previously presented) The method of claim 1, wherein the step of altering the intrusion set 
includes the step of altering a weight of the intrusion set. 
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